Rina Steenkamp - Privacy and technology
[Memorandum Opinion [Klayman et al. v. Obama et al.] | Liberty and security in a changing world | What information do data brokers have on consumers, and how do they use it? | A review of the data broker industry - collection, use and sale of consumer data for marketing purposes | Ten commandments of internet law revisited - basic principles for internet lawyers | Biometrics - friend or foe of privacy? | Cryptography as a service in a cloud computing environment | Privacy-preserving charging for eMobility | Rolling plan for ICT standardisation (2013) | UK cyber security standards - Research report | 2013 Information security breaches survey - Technical report | According to the Advocate General [...] the Data Retention Directive is incompatible with the Charter of Fundamental Rights | How these 5 dirtbags radically advanced your digital rights | New documents show how the NSA infers relationships based on mobile location data | The FBI's next generation identification program - Big Brother's ID system? | Chilling effects - NSA surveillance drives U.S. writers to self-censor | "Small" breach, big harm. | View from the precipice - Mobile financial malware | Security threat report 2014 - Smarter, shadier, stealthier malware | ENISA threat landscape 2013 - Overview of current and emerging cyber-threats | How the Bitcoin protocol actually works | Digital evidence, digital investigations and e-disclosure - A guide to forensic readiness for organisations, security advisers and lawyers | Foreign surveillance and human rights | Digital activism and non-violent conflict | Majority is not enough - Bitcoin mining is vulnerable | Serious security - How to store your users' passwords safely | Security of eGovernment systems | Cloud standards coordination - Final report | Security breach notification chart | Special Eurobarometer 404 - Cyber security | [...] on the functioning of the Safe Harbour from the perspective of EU citizens and companies established in the EU | Problems with the FISC's newly-declassified opinion on bulk collection of internet metadata | Our government has weaponized the internet. Here's how they did it | Eyes wide open | Information resellers - Consumer privacy framework needs to reflect changes in technology and the marketplace | Aiding surveillance - An exploration of how development and humanitarian aid initiatives are enabling surveillance in developing countries | An experiment in hiring discrimination via online social networks | LG Smart TVs logging USB filenames and viewing info to LG servers | Is UK college's RFID chip tracking of pupils an invasion of privacy? | Security certification practice in the EU | Good practice guide for securely deploying governmental clouds]
Opinion by Richard J. Leon.
The 'Conclusion':
"This case is yet the latest chapter in the Judiciary's continuing challenge to balance the national security interest of the United States with the individual liberties of our citizens. The Government, in its understandable zeal to protect our homeland, has crafted a counterterrorism program with respect to telephone metadata that strikes the balance based in part on a thirty-four year old Supreme Court precedent, the relevance of which has been eclipsed by technological advances and a cell phone-centric lifestyle heretofore inconceivable. In the months ahead, other Article III courts, no doubt, will wrestle to find the proper balance consistent with our constitutional system. But in the meantime, for all the above reasons, I will grant Larry Klayman's and Charles Strange's request for an injunction and enter an order that (1) bars the Government from collecting, as part of the NSA's Bulk Telephony Metadata Program, any telephony metadata associated with their personal Verizon accounts and (2) requires the Government to destroy any such metadata in its possession that was collected through the bulk collection program. However, in light of the significant national security interests at stake in this case and the novelty of the constitutional issues, I will stay my order pending appeal. In doing so, I hereby give the Government fair notice that should my ruling be upheld, this order will go into effect forthwith. Accordingly, I fully expect that during the appellate process, which will consume at least the next six months, the Government will take whatever steps necessary to prepare itself to comply with this order when, and if, it is upheld. Suffice it to say, requesting further time to comply with this order months from now will not be well received and could result in collateral sanctions."
Read more:
See also:
Media coverage:
Report and recommendations of The President's Review Group on Intelligence and Communications Technologies.
From 'Principles' in the Executive Summary:
"The United States Government must protect, at once, two different forms of security: national security and personal privacy. In the American tradition, the word 'security' has had multiple meanings. In contemporary parlance, it often refers to national security or homeland security. One of the government’s most fundamental responsibilities is to protect this form of security, broadly understood. At the same time, the idea of security refers to a quite different and equally fundamental value, captured in the Fourth Amendment to the United States Constitution: 'The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated ...'. Both forms of security must be protected. [...] The idea of 'balancing' has an important element of truth, but it is also inadequate and misleading. It is tempting to suggest that the underlying goal is to achieve the right 'balance' between the two forms of security. The suggestion has an important element of truth. But some safeguards are not subject to balancing at all. In a free society, public officials should never engage in surveillance in order to punish their political enemies; to restrict freedom of speech or religion; to suppress legitimate criticism and dissent; to help their preferred companies or industries; to provide domestic companies with an unfair competitive advantage; or to benefit or burden members of groups defined in terms of religion, ethnicity, race, and gender."
Read more:
See also:
Media coverage:
Testimony before the Senate Committee on Commerce, Science, and Transportation, by Pam Dixon (World Privacy Forum).
From 'Introduction & Summary':
"What do a retired librarian in Wisconsin in the early stages of Alzheimer's, a police officer, and a mother in Texas have in common? The answer is that all were victims of consumer data brokers. Data brokers collect, compile, buy and sell personally identifiable information about who we are, what we do, and much of our 'digital exhaust.' We are their business models. The police officer was 'uncovered' by a data broker who revealed his family information online, jeopardizing his safety. The mother was a victim of domestic violence who was deeply concerned about people finder web sites that published and sold her home address online. The librarian lost her life savings and retirement because a data broker put her on an eager elderly buyer and frequent donor list. She was deluged with predatory offers. These people - and 320 million others in the United States - are not able to escape from the activities of data brokers. Our research shows that only a small percentage of known consumer data brokers offer a voluntary opt out. These opt outs can be incomplete, extremely difficult, and must typically be done one-by-one, site-by-site. Often, third parties are not allowed to opt individual consumers out of data brokers. This state of affairs exists because no legal framework requires data brokers to offer opt out or suppression of consumer data. Few people know that data brokers exist, and beyond that, few know what they do."
Read more:
See also:
Media coverage:
A Committee Majority staff report by the U.S. Senate, Committee on Commerce, Science, and Transportation.
From the Executive Summary:
"This Committee Majority staff report focuses on data broker activities that are subject to far less statutory consumer protection: the collection and sale of consumer data specifically for marketing purposes. In this arena, data brokers operate with minimal transparency. One of the primary ways data brokers package and sell data is by putting consumers into categories or 'buckets' that enable marketers – the customers of data brokers – to target potential and existing customers. Such practices in many cases may serve the beneficial purpose of providing consumers with products and services specific to their interests and needs. However, it can become a different story when buckets describing consumers using financial characteristics end up in the hands of predatory businesses seeking to identify vulnerable consumers, or when marketers use consumers' data to engage in differential pricing. Further, the data breaches that have repeatedly occurred in this industry and with others in the data economy underscore the public's need to understand the volume and specificity of data consumer information held by data brokers."
Read more:
Media coverage:
A paper by Arno R. Lodder.
From the Abstract:
"The connection between knowledge of the law and understanding of the Internet is one of constant interaction. Scholars can approach Internet Law basically from two angles. First, the classic legal approach is to start with the legal norm, and see whether internet phenomena are covered by existing norms, either applied straightforwardly or after interpretation. If no existing norm can be applied, the situation can be left unregulated or, if desirable, new norms can be designed. Second, the internet can be taken as starting point, so as to think about possible norms without considering the existing normative framework. This approach can lead to new, refreshing insights. Both approaches have their merits. This paper introduces for all Internet Lawyers a set of principles, called the Ten Commandments of Internet Law."
Read more:
Media coverage:
A paper by Privacy International.
From 'VIII. Conclusion':
"In developing countries, biometric technology is increasingly seen as an effective tool for facilitating access to social rights but also as a means to strengthen democracy through establishing legal identities for all individuals, thus facilitating access to rights such as voting and opening bank accounts. However, its deployment in developing countries raises several serious concerns for the human rights of citizens. First, such technologies are currently often being deployed in a legal void, as privacy rights upheld in national constitutions are not being respected in practice and additional data protection safeguards are failing to match the technological advancements or are simply inexistent."
Read more:
Master's thesis by Hugo A.W. Ideler.
From the Abstract:
"Nowadays, a serious concern about cloud computing is the protection of clients' data and computations against various attacks from the cloud provider's side as well as outsiders. Moreover, cloud consumers are rather limited in implementing, deploying and controlling their own security solutions in the cloud. In this thesis, we present a cloud architecture which enables cloud consumers to securely deploy and run virtual machines in the cloud, in which the complete deployment lifecycle is considered, and with a special focus on both the malicious insider as well as the external attacker."
Read more:
Master's thesis by Christina Höfer.
Abstract:
"As the demand for sustainable, low-carbon driving solutions is increasing, the electrification of vehicles, called electro mobility or, for short, eMobility, is the next big milestone for the automotive industry. Vehicle manufacturers, power grid operators and energy companies are devising approaches to integrate electrical vehicles with the power grid. Connecting electrical vehicles to the energy grid and the Internet poses several advantages for the driver, vehicle manufacturers and grid operators. Yet, these approaches need to be compatible, secure and privacy-preserving. This master's thesis investigates the security and privacy challenges of electric mobility and focuses on the design, implementation, and evaluation of a privacy-enhancing charging solution for electric vehicles."
Read more:
A report by the European Commission.
From the executive introduction:
"The Rolling Plan provides a multi-annual overview of the needs for preliminary or complementary ICT standardisation activities to undertake in support of the EU policy activities. It is addressed to all ICT Stakeholders and gives a transparent view on how the policies are planned to be practically supported."
Read more:
A report by PwC (Department for Business Innovation & Skills).
From the Executive Summary:
"The number of standards relating to cyber security in some form exceeds 1,000 publications globally. This makes for a complex standards landscape. Despite the quality and general applicability of most individual standards, there was no comprehensive standard identified that provided a ‘one size fits all’ approach. Conversely the complex landscape made it difficult for organisations to identify the standards relevant to their organisation and business activities. [...] While many organisations implement cyber security standards to some degree, the majority partially implement the controls deemed relevant and self-certify this compliance. Only a small proportion invests in gaining external certification."
Read more:
Media coverage:
A report by PwC (Department for Business Innovation & Skills).
From the Executive Summary:
"The number of security breaches affecting UK business continues to increase. [...] The rise is most notable for small businesses; they’re now experiencing incident levels previously only seen in larger organisations. [...] In total, the cost to UK plc of security breaches is of the order of billions of pounds per annum - it’s roughly tripled over the last year."
Read more:
Media coverage:
A press release by the Court of Justice of the European Union.
From the text:
"In his Opinion delivered today, Advocate General Pedro Cruz Villalón, takes the view that the Data Retention Directive is as a whole incompatible with the requirement, laid down by the Charter of Fundamental Rights of the European Union, that any limitation on the exercise of a fundamental right must be provided for by law. According to the Advocate General, the Directive constitutes a serious interference with the fundamental right of citizens to privacy, by laying down an obligation on the providers of telephone or electronic communications services to collect and retain traffic and location data for such communications."
Read more:
Media coverage:
A blog post by David Kravets (Wired Threat Level).
From the text:
"Consider the following exhibits: a cocaine dealer, a child pornographer, a purveyor of suspect penis-enlargement pills, and two accused hackers. The courtroom challenges they brought resulted in rulings that dramatically expanded your rights, from helping to keep your email and whereabouts private to reducing gadget searches at the U.S. border and limiting the legal definition of unlawful hacking."
Read more:
An article by Ashkan Soltani and Barton Gellman.
From the article:
"Everyone who carries a cellphone generates a trail of electronic breadcrumbs that records everywhere they go. Those breadcrumbs reveal a wealth of information about who we are, where we live, who our friends are and much more. And as we reported last week, the National Security Agency is collecting location information in bulk — 5 billion records per day worldwide — and using sophisticated algorithms to assist with U.S. intelligence-gathering operations. How do they do it? And what can they learn from location data?"
Read more:
Media coverage:
An article by Epic.org.
From the article:
"The Federal Bureau of Investigation (FBI) is developing a biometric identification database program called 'Next Generation Identification' (NGI). When completed, the NGI system will be the largest biometric database in the world. The program is of particular interest to EPIC because of the far-reaching implications for personal privacy and the risks of mass surveillance. The vast majority of records contained in the NGI database will be of US citizens. The NGI biometric identifiers will include fingerprints, iris scans, DNA profiles, voice identification profiles, palm prints, and photographs. The system will include facial recognition capabilities to analyze collected images. Millions of individuals who are neither criminals nor suspects will be included in the database."
Read more:
Media coverage:
Research conducted by The FDR Group (PEN).
From the 'Introduction':
"Writers are not only overwhelmingly worried about government surveillance, but are engaging in self-censorship as a result: 28% have curtailed or avoided social media activities, and another 12% have seriously considered doing so. 24% have deliberately avoided certain topics in phone or email conversations, and another 9% have seriously considered it. 16% have avoided writing or speaking about [a] particular topic, and another 11% have seriously considered it."
Read more:
Media coverage:
A blog post by PHIprivacy.net.
From the text:
"I recently noted a privacy breach at Northern Inyo Hospital in California. It was one of those 'small breaches' (i.e., less than 500 affected) that don't get reported on HHS's public-facing breach tool, but it really created distress for its victim. In discussing the breach, I noted my surprise at a statement the patient made that she might have to move to another community as she no longer had trust in the hospital and was worried about how information about her accessed by the employee might be used against her. [...] The patient [...] kindly reached out to me to discuss the case and her decision to move away."
Read more:
A report by Ken Baylor (NSS Labs).
From 'Overview':
"Mobile banking is undergoing tremendous growth as customers increasingly choose smart devices over bank tellers. This has resulted in banks closing branches and investing in online services. However, while banks are profiting from online banking and mobile banking, so too are the cyber criminals that target these services with highly specialized financial malware. In order to defend themselves from the man in the browser (MITB) attacks that are plaguing online banking, financial institutions are depending more and more on mobile devices as secondary authentication factors."
Read more:
Media coverage:
A report by Sophos.
From the Foreword:
"Reflecting on the security and threat landscape of 2013, one trend that stands out is the growing ability of malware authors to camouflage their attacks. Widespread dissemination of advanced botnet and exploit kit source code allows more malware authors to create innovative and diverse new attacks."
Read more:
Media coverage:
A report by Louis Marinos (ENISA).
From the Executive Summary:
"The year 2013 has brought big news, significant changes and remarkable successes in the cyber-threat landscape. Among the dynamic developments and changes that happened, there is one thing that has remained stable: the race between defenders and adversaries has continued and will continue in the future."
Read more:
Media coverage:
A blog post by Michael Nielsen (Data-driven intelligence).
From the blog post:
"Many thousands of articles have been written purporting to explain Bitcoin, the online, peer-to-peer currency. Most of those articles give a hand-wavy account of the underlying cryptographic protocol, omitting many details. Even those articles which delve deeper often gloss over crucial points. My aim in this post is to explain the major ideas behind the Bitcoin protocol in a clear, easily comprehensible way. We’ll start from first principles, build up to a broad theoretical understanding of how the protocol works, and then dig down into the nitty-gritty, examining the raw data in a Bitcoin transaction."
Read more:
Media coverage:
A guide by Peter Sommer (IAAC).
From the Foreword:
"When confronted by a corporate 'incident' that requires investigation, a surprising number of competing demands soon make themselves apparent. Owners, directors, and managers need to understand and explain to all employees that knowledge and data are key business assets, to be developed and protected accordingly. They need to understand the key strategic and management issues, the extent and nature of their obligations and the implications, in terms of resources and processes. The guide draws key lessons from conventional disaster recovery situations, pointing out that main boards should maintain supervision, ensuring adequacy of reporting, having delegated action to a specialist team. The detailed role of senior management is set out. This new version addresses the challenges of today’s perimeter-less business, with its dependence on the Internet, Cloud Computing services and mobile working with Bring Your Own Device policies and the use of Social Networking. It takes account of amendments to law, placing measures requiring businesses to assist law enforcement agencies in the handling of encrypted material; extensions to the law involving pornographic material; and changes covering the disclosure of documents in electronic form during civil proceedings."
Read more:
See also:
Media coverage:
A series of blog posts by Marko Milanovic (EJIL: Talk!).
From the Introduction:
"The past few weeks have seen increasing discussions of how human rights treaties might apply to mass electronic surveillance programs as run e.g. by the NSA and GCHQ or the agencies of the other 'Five Eyes' countries. [...] This is [...] a series of posts on the application of human rights treaties to foreign surveillance. The main focus of the series is on the threshold question of whether human rights treaties would apply at all to extraterritorial interferences with privacy."
Read more:
See also:
A report by Frank Edwards, Philip N. Howard and Mary Joyce.
From the Executive Summary:
"In order to analyze digital activism, we investigated hundreds of campaigns from around the world and assembled protest event data more comprehensive than any previously collected. We define a digital activism campaign as an organized public effort, making collective claim(s) on a target authority(s), in which civic initiators or supporters use digital media. With a team of over 40 coders, reviewing hundreds of cases and two decades of digital activism, we used the highest of social scientific standards to build the best available data set on one of the most important trends in global politics."
Read more:
See also:
A paper by Ittay Eyal and Emin Gün Sirer.
From a blog post by the authors:
"Bitcoin is broken. And not just superficially so, but fundamentally, at the core protocol level. We're not talking about a simple buffer overflow here, or even a badly designed API that can be easily patched; instead, the problem is intrinsic to the entire way Bitcoin works. All other cryptocurrencies and schemes based on the same Bitcoin idea, including Litecoin, Namecoin, and any of the other few dozen Bitcoin-inspired currencies, are broken as well. Specifically, in a paper we placed on arXiv, Ittay Eyal and I outline an attack by which a minority group of miners can obtain revenues in excess of their fair share, and grow in number until they reach a majority. When this point is reached, the Bitcoin value-proposition collapses: the currency comes under the control of a single entity; it is no longer decentralized; the controlling entity can determine who participates in mining and which transactions are committed, and can even roll back transactions at will. This snowball scenario does not require an ill-intentioned Bond-style villain to launch; it can take place as the collaborative result of people trying to earn a bit more money for their mining efforts."
Read more:
See also:
A blog post by Paul Ducklin (Naked Security).
From the blog post:
"Just to clarify: this article isn't a programming tutorial with example code you can copy to use on your own server. Firstly, we don't know whether you're using PHP, MySQL, C#, Java, Perl, Python or whatever, and secondly, there are lots of articles already available that tell you what to do with passwords. We thought that we'd explain, instead."
Read more:
A report by Anders Jacobi, Mikkel Lund Jensen, Linda Kool, Geert Munnichs and Arnd Weber (European Parliament).
From the Executive Summary:
"The project has analysed and discussed the security of eGovernment systems and services, paying special attention to the possibilities of future EU eGovernment services, by: gathering typical examples of existing national and international eGovernment services in Europe; analysing the most relevant security issues and possible responses/solutions to these issues; debating policy options for advancing EU eGovernment services; and assessing and delivering specific policy options."
Read more:
Media coverage:
A report by ETSI.
From the Executive Summary:
"Regarding fragmentation, the analysis has concluded that cloud standardization is much more focused than anticipated. In short: the Cloud Standards landscape is complex but not chaotic and by no means a 'jungle'. Though several cloud computing standards have seen successful adoption in small-scale and research projects, cloud computing-specific standards have not seen widespread adoption by cloud providers to date. However, given its dynamism, Cloud Standardization will likely mature in the next 18 months. Adoption may be encouraged if mechanisms are found for domain-specific stakeholders to agree on shared vocabularies and formal definitions that are machine readable. Important gaps in the cloud computing standards landscape have been identified. New cloud computing standards, or cloud computing specific extensions to existing standards that fill these gaps, should be encouraged. The legal environment for cloud computing is highly challenging. Research into standardized ways of describing, advertising, consuming and verifying legal requirements is necessary. Solutions need to accommodate both national and international (e.g. EU) legal requirements."
Read more:
Media coverage:
A chart maintained by Perkins Coie.
From the main page:
"Perkins Coie's Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification. The chart is for informational purposes only and is intended as an aid in understanding each state's sometimes unique security breach notification requirements."
Read more:
See also:
A report by TNS Opinion and Social (European Commission, Directorate-General Home Affairs).
From the press release:
"Internet users in the EU are very concerned about cyber-security, according to a Eurobarometer survey published today. 76% agree that the risk of becoming a victim of cybercrime has increased in the past year, more than in a similar study from 2012. 12% of Internet users have already had their social media or email account hacked. [...] Encouragingly, more EU citizens feel well informed about the risks of cybercrime compared to 2012 (44% - up from 38%). However, it appears that they do not always draw all the necessary consequences from that information. For example, less than half of internet users have changed any of their online passwords during the past year (48% - slightly better than 45% in 2012)."
Read more:
Media coverage:
Communication to the European Parliament and the Council, by the European Commission.
From '1. Introduction':
"[T]he current Safe Harbour decision allows free transfer of personal information from EU Member States to companies in the US which have signed up to the Principles in circumstances where the transfer would otherwise not meet the EU standards for adequate level of data protection given the substantial differences in privacy regimes between the two sides of the Atlantic. The functioning of the current Safe Harbour arrangement relies on commitments and self-certification of adhering companies. Signing up to these arrangements is voluntary, but the rules are binding for those who sign up. [...] This fundamental basis of the Safe Harbour has to be reviewed in the new context of: a) the exponential increase in data flows which used to be ancillary but are now central to the rapid growth of the digital economy and the very significant developments in data collection, processing and use, b) the critical importance of data flows notably for the transatlantic economy, c) the rapid growth of the number of companies in the US adhering to the Safe Harbour scheme which has increased eight-fold since 2004 (from 400 in 2004 to 3,246 in 2013), d) the information recently released on US surveillance programmes which raises new questions on the level of the protection the Safe Harbour arrangement is deemed to guarantee. Against this background, this Communication takes stock of the functioning of the Safe Harbour scheme."
Read more:
See also:
Media coverage:
An analysis by Orin Kerr (Lawfare).
From the text:
"Yesterday afternoon, the DNI declassified an 87-page FISC opinion authored by Judge Kollar-Kotelly that had allowed a bulk Internet metadata collection under FISA's version of the Pen Register statute, 50 U.S.C. 1842. In plain English, the government published a previously-secret opinion that had allowed for the bulk collection of non-content Internet metadata under a statute that provides very low levels of privacy protection. The program is now defunct, but the opinion gives us another chance to analyze the quality of legal analysis produced by the FISC. I've read the opinion, and I find its analysis quite strange. In this post, I'll explain why I find the opinion a head-scratcher."
Read more:
See also:
Media coverage:
An article by Nicholas Weaver (Wired).
From the text:
"If the NSA can hack Petrobras, the Russians can justify attacking Exxon/Mobil. If GCHQ can hack Belgacom to enable covert wiretaps, France can do the same to AT&T. If the Canadians target the Brazilian Ministry of Mines and Energy, the Chinese can target the U.S. Department of the Interior. We now live in a world where, if we are lucky, our attackers may be every country our traffic passes through except our own. Which means the rest of us - and especially any company or individual whose operations are economically or politically significant - are now targets. All cleartext traffic is not just information being sent from sender to receiver, but is a possible attack vector. Here's how it works."
Read more:
Media coverage:
A report by Privacy International.
From the Executive Summary:
"The Five Eyes alliance of States - comprised of the United States National Security Agency (NSA), the United Kingdom's Government Communications Headquarters (GCHQ), Canada's Communications Security Establishment Canada (CSEC), the Australian Signals Directorate (ASD), and New Zealand's Government Communications Security Bureau (GCSB) – is the continuation of an intelligence partnership formed in the aftermath of the Second World War. Today, the Five Eyes has infiltrated every aspect of modern global communications systems. The world has changed dramatically since the 1940s; then, private documents were stored in filing cabinets under lock and key, and months could pass without one having the need or luxury of making an international phone call. Now, private documents are stored in unknown data centers around the world, international communications are conducted daily, and our lives are lived – ideas exchanged, financial transactions conducted, intimate moments shared – online. [...] This paper calls for a renewed understanding of the obligations of Five Eyes States with respect to the right to privacy, and demands that the laws and regulations that enable intelligence gathering and sharing under the Five Eyes alliance be brought into the light."
A report by the United States Government Accountability Office.
From "Why GAO did this study":
"In recent years, information resellers - companies that collect and resell information on individuals - dramatically increased the collection and sharing of personal data for marketing purposes, raising privacy concerns among some in Congress. Recent growth in the use of social media, mobile applications, and other technologies intensified these concerns. GAO was asked to examine privacy issues and information resellers. This report addresses (1) privacy laws applicable to consumer information held by resellers, (2) gaps in the law that may exist, and (3) views on approaches for improving consumer data privacy."
A report by Gus Hosein and Carly Nyst (Privacy International).
Executive Summary:
"Information technology transfer is increasingly a crucial element of development and humanitarian aid initiatives. Social protection programmes are incorporating digitised Management Information Systems and electronic transfers, registration and electoral systems are deploying biometric technologies, the proliferation of mobile phones is facilitating access to increased amounts of data, and technologies are being transferred to support security and rule of law efforts. Many of these programmes and technologies involve the surveillance of individuals, groups, and entire populations. The collection and use of personal information in these development and aid initiatives is without precedent, and subject to few legal safeguards. In this report we show that as development and humanitarian donors and agencies rush to adopt new technologies that facilitate surveillance, they may be creating and supporting systems that pose serious threats to individuals’ human rights, particularly their right to privacy."
A research paper by Alessandro Acquisti and Christina M. Fong.
From the Abstract:
"Surveys of U.S. employers suggest that numerous firms seek information about job applicants online. However, little is known about how this information gathering influences employers’ hiring behavior. We present results from two complementary randomized experiments (a field experiment and an online experiment) on the impact of online information on U.S. firms’ hiring behavior. We manipulate candidates’ personal information that is protected under either federal laws or some state laws, and may be risky for employers to enquire about during interviews, but which may be inferred from applicants' online social media profiles. In the field experiment, we test responses of over 4,000 U.S. employers to a Muslim candidate relative to a Christian candidate, and to a gay candidate relative to a straight candidate. We supplement the field experiment with a randomized, survey-based online experiment with over 1,000 subjects (including subjects with previous human resources experience) testing the effects of the manipulated online information on hypothetical hiring decisions and perceptions of employability."
A blog post on DoctorBeet's Blog.
From the blog post:
"In fact, there is an option in the system settings called 'Collection of watching info:' which is set ON by default. This setting requires the user to scroll down to see it and, unlike most other settings, contains no 'balloon help' to describe what it does. At this point, I decided to do some traffic analysis to see what was being sent. It turns out that viewing information appears to be being sent regardless of whether this option is set to On or Off."
An article by Wendy M. Grossman (The Guardian).
From the article:
"When is a biometric not a biometric? When it's an ultra-wideband RFID (radio frequency ID) tag which provides such detailed and continuous information about your movements that it makes logging your movements by fingerprints or card check-ins redundant - because it knows where you are to within centimetres. It might sound useful or intrusive - or both, depending on your point of view. And one of its biggest users in the UK (outside of factories that want to trace where potentially dangerous machines are being used) has been a vocational college in West Cheshire that offers training and apprenticeships for 14 to 17-year-olds in fields such as hairdressing, forensics, and accounting."
A case study by Eleni Kosta, Jos Dumortier, and Hans Graux (ENISA).
From the Executive Summary:
"This study focuses on two objectives: The first objective is to provide expertise from other certification areas to the reform of the European data protection legislation, as the new proposed legislation identifies privacy certification as a means to achieve implementation of data protection requirements. The second objective is to identify, based on existing knowledge, recommendations and steps to be followed for achieving the objectives of the aforementioned EU cyberstrategy, namely the development of voluntary EU-wide certification schemes building on existing schemes in the EU. In order to collect experiences from existing certification schemes and given the broad range of existing certification schemes, this study addresses Information Security Management Systems (ISMS) certification."
A report by Thomas Haeberlen, Dimitra Liveri, and Matina Lakka (ENISA).
From the Executive summary:
"In this report, ENISA identifies the Member States with operational government Cloud infrastructures and underlines the diversity of Cloud adoption in the public sector in Europe. Moreover, through this document, ENISA aims to assist Member States in elaborating a national Cloud strategy implementation, to understand current barriers and suggest solutions to overcome those barriers, and to share the best practices paving the way for a common set of requirements for all Member States (MS)."